Cigital

Code scanning is one leg of the table.
Code review is another. You could apply
http://www.multicians.org/thvv/nasty.html
and replace “quality” by “security.”

We could write zero defect code that does exactly what we want
but often choose not to: too hard, takes too long.

Even if we do everything right, there will still be bugs
because sometimes we don’t want the right things.

Agreed. I suppose when I think code scanning (and say it) I really mean code review. A fool with a tool is still a fool!

gem

Even though I am totally lost reading your comments on online poker, I am so excited and pleased to see that someone is addressing the problem of how the cards are dealt and how far removed the game is from sitting down and playing at a holdem table with a real deck of cards. I have been playing poker almost all my life and knew that the hands being delt online were not following the trend of a real game being dealt by a real person using a real deck of cards. Some of the things I’ve seen online defy all odds. Now that you have enlightened me on at least some of the problems, can you comment on whether or not there are any fair online poker sites in your opinion and also are some poker games less affected than others. By that I mean for example is five card draw less affected than holde or ohmaha. You have been very helpful, I only wish I understood computers a little better.
Thanks again,
Patrick

Hi Patrick,

I’m not really sure what you’re talking about…perhaps a different article? But anyway, to learn more about what we did to move online poker in the right direction, see:

http://www.cigital.com/papers/download/developer_gambling.php

Also note that my book “Exploiting Online Games” has some discussion of poker security as well. Hope that helps.

gem

To everybody else,

For those of you following this thread for what it really is…

You might be interested in an expanded version of this posting recently published as a darkreading article:

http://www.darkreading.com/document.asp?doc_id=146053&WT.svl=column1_1

gem

Gary said
> Code scanning tools can only find bugs. Can a code scanning
> tool determine that no user authentication was performed? How
> about whether or not a playback attack will work? (Just for
> the record, the answer is “no way??? in both cases.)

You have some particular kind of “code scanning” in mind. Rule based tools that have a rule requiring authentication would notice if it was missing. Code review can range across
- hey Gary, do you see anything wrong with this program?
- let’s run BugFinderMax over this module
- let’s apply a Belady-style formal inspection with a project tailored checklist
and many other variations.

Different code review processes will miss different bugs and find others, whether implemented in silicon, rulebook, or experienced person. It is a mistake to think that any method will solve problems that not explicitly targeted.

I bet there is a theorem here: given a bug finding tool, there is a bug it can’t find; given a bug, a tool can be constructed to find it.

Hi Tom,

I’m pretty sure that what you’re suggesting can be done to find out whether authentication code is present is an NP-hard problem (not to mention AI-Complete). You’re right that I was addressing automatic code review with a static analysis tool like Fortify or Coverity.

In any case, I am more concerned about our inability to find FLAWS than our ability to find all BUGS.

gem